authzed / spicedb

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data
https://authzed.com/docs
Apache License 2.0

Some questions about ABAC #200

Closed yuchen-sun closed 2 years ago

yuchen-sun commented 3 years ago

spicedb is a great program! Until then, we have been following and using Ory keto. Recently we have been planning to use spicedb to build our new authorization system. The README describes that you can build authentication models like ABAC based on ReBAC, but I didn't find an example of this. Am I missing something?

Thanks : ) !

jzelinskie commented 3 years ago

This is a great question.

When the terms RBAC or ABAC are used, they often assume lots of unspoken details. Today, SpiceDB is capable of modeling RBAC or ABAC with many different variations of those unspoken details.

You can implement node-based attributes by simply creating a relationship like attribute:friendly#haver@user:emilia. In this example, the subject, the user Emilia, has a relation "haver" with the attribute "friendly". I call this node-based because it is only capable of assigning this attribute to nodes, like Emilia.

There are other ways you might require attributes, like on the edges (e.g. relations in SpiceDB) or count-based, which is actually not associated with any part of the graph, but rather a threshold for the number of occurrences of attributes on the graph (e.g. Alex has 5 mutual friends with Jenessa). Edge-based is probably possible today with some careful schema design, but none of us have personally tried to write one yet.

We're considering fleshing out more attribute-based functionality, but we'd like to see people try and model what they can with what we've got, before we design new functionality to support more sophisticated workflows.

I highly recommend running through this paper to learn a bit more about what I've discussed in this comment. I'd love to open an issue to discuss the design of a potential policy system similar to what is described.

EDIT: SpiceDB has since added functionality called Caveats that can more easily address ABAC models.
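The following schema is an added example, not code from the issue or from the SpiceDB project, that puts the two approaches from the comment side by side: the node-based attribute pattern (`attribute:friendly#haver@user:emilia`) gating a permission through an intersection and an arrow, and the Caveats feature mentioned in the EDIT carrying the attribute on the relationship itself. The object types `document` and `report`, the relation name `required_attribute`, and the caveat `has_clearance` with its parameters are assumptions chosen for illustration.

```zed
// Added example (not from the issue or the SpiceDB project).
// Part 1: node-based attributes, following the attribute:friendly#haver@user:emilia
// pattern from the comment. "document" and "required_attribute" are assumed names.
definition user {}

// An attribute is an ordinary object; "having" it is a relation from the attribute to the user.
definition attribute {
    relation haver: user
}

definition document {
    relation viewer: user
    // The attribute a subject must hold before the viewer grant takes effect.
    relation required_attribute: attribute

    // Intersection (&): the subject must be a viewer AND reachable as a haver
    // of the document's required attribute (arrow walks document -> attribute -> haver).
    // A viewer who lacks the attribute is denied, which is the ABAC gate.
    permission view = viewer & required_attribute->haver
}

// Part 2: the same idea with Caveats (assumed caveat name and parameters).
// The attribute value lives on the relationship and the check-time context,
// not on a separate attribute node in the graph.
caveat has_clearance(level int, required int) {
    level >= required
}

definition report {
    // Each viewer relationship can be written with a caveat; the relationship
    // is only treated as present when the caveat expression evaluates to true.
    relation viewer: user with has_clearance
    permission view = viewer
}
```

With the three constructed relationships `attribute:friendly#haver@user:emilia`, `document:readme#viewer@user:emilia` and `document:readme#required_attribute@attribute:friendly` written, a check of `view` on `document:readme` for `user:emilia` passes; deleting the `haver` relationship alone makes the same check fail even though the `viewer` grant still exists, which is the behaviour you want when an attribute is revoked. In the caveated variant the `required` value would be stored with the relationship and `level` supplied as context at check time, so the attribute never needs its own node or its own relationship writes when it changes.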